Carnegie Mellon University

Password Management

Passwords are the most common way we prove we are who we say we are to websites, social media accounts, email, and even the computer itself. They also control access to mobile phones, banking applications, work log-ins, and confidential files. For many online systems, a password is the only thing standing between an attacker and our personal data. Despite all of the research and software available to help protect passwords, users still make the same errors: reusing one password across multiple accounts, building passwords from personal information, choosing commonly used passwords, and making passwords no longer than the minimum allowed length. These errors make it easy for a scammer to crack a password and compromise an account in a matter of minutes.

The following information describes how scammers steal passwords, and what you can do to manage your passwords and keep your accounts secure.


Types of Password Attacks 

Keylogger Attacks
A keylogger is surveillance software (or a small hardware device) that records every keystroke typed on a device's keyboard. Scammers use keyloggers as spyware to steal personal information, login credentials, and sensitive enterprise data.

How to Protect Yourself
A firewall that blocks unexpected outbound connections can stop a keylogger from sending what it has captured to a third party. A password manager that autofills your passwords means the password is never typed, so a keylogger has nothing to record; note that malware which already controls the device can still read the screen or clipboard, so autofill reduces your exposure rather than eliminating it. Keep your operating system and applications updated, since keyloggers are often installed by exploiting known software vulnerabilities.


Brute Force Attacks
Many people use passwords that are short, simple, or tied to something about themselves, and that can therefore be guessed in a few tries. In a brute force attack, an attacker runs software that automatically submits one candidate password after another, either every possible combination of characters up to a given length or a list of the most common passwords first. Because so many users still pick passwords such as “password” or “123456”, this remains a reliable way to take over accounts.

How to Protect Yourself
There are several ways to blunt brute force attacks. You can implement an account lockout policy, so that after a few failed login attempts the account is locked until an administrator unlocks it; be aware that an attacker can abuse this to lock legitimate users out on purpose, which is why many systems prefer the next option. You can also implement progressive delays, which lock the account for a set period after a failed attempt and increase that period with every further failure, so the attacker's guessing rate collapses while a user who mistypes once is barely inconvenienced. On the user side, a long, unique password puts the correct guess far beyond what any online guessing rate can reach.
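The progressive delay described above, as an added Python example that is not part of the original page: a per-account throttle that doubles the lockout after each failure, plus a simulation of an attacker guessing nonstop for an hour against it. The policy values FREE_ATTEMPTS, BASE_DELAY and MAX_DELAY and the account names are assumptions chosen for the illustration; the clock is passed in as a parameter so the example runs instantly, where real code would use time.monotonic().

```python
from dataclasses import dataclass, field

FREE_ATTEMPTS = 3     # assumed policy: failures allowed before any delay applies
BASE_DELAY = 2        # assumed policy: seconds of lockout after the first delayed failure
MAX_DELAY = 15 * 60   # assumed policy: a single account is never locked longer than 15 minutes


@dataclass
class LoginThrottle:
    """Tracks consecutive failed logins per account and enforces a growing lockout."""
    failures: dict = field(default_factory=dict)      # account -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # account -> time the lock expires

    def delay_for(self, failures: int) -> int:
        """Lockout length after `failures` consecutive failures: none while the free
        attempts last, then 2s, 4s, 8s, ... doubling up to MAX_DELAY."""
        if failures <= FREE_ATTEMPTS:
            return 0
        return min(BASE_DELAY * 2 ** (failures - FREE_ATTEMPTS - 1), MAX_DELAY)

    def is_locked(self, account: str, now: float) -> bool:
        return now < self.locked_until.get(account, 0.0)

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Record one login attempt and return 'locked', 'success' or 'failure'.
        While an account is locked the caller must not evaluate the password at
        all, so the attacker learns nothing during the lockout window."""
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            # A correct login clears the counter so one typo tomorrow starts fresh.
            self.failures.pop(account, None)
            self.locked_until.pop(account, None)
            return "success"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        delay = self.delay_for(count)
        if delay:
            self.locked_until[account] = now + delay
        return "failure"


def simulate_attacker(throttle: LoginThrottle, account: str, seconds: int,
                      rate_per_second: int = 1) -> int:
    """Attacker submits wrong guesses nonstop for `seconds`; return how many were
    actually evaluated against the password (guesses rejected while locked do not
    count, because the server never looked at them)."""
    evaluated = 0
    for t in range(seconds):
        for _ in range(rate_per_second):
            if throttle.attempt(account, password_ok=False, now=float(t)) == "failure":
                evaluated += 1
    return evaluated


if __name__ == "__main__":
    hour = 3600
    print("guesses evaluated in one hour without throttling:", hour)
    print("guesses evaluated in one hour with progressive delay:",
          simulate_attacker(LoginThrottle(), "alice", hour))
```

The doubling delay caps a single-account attacker at a handful of guesses per hour, and a user who mistypes once or twice sees no delay at all. A per-account throttle does nothing against password spraying, where one common guess is tried across thousands of accounts, so production systems pair it with a per-source limit as well.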


Dictionary Attacks

In 2012, more than 6 million LinkedIn password hashes were leaked online, and a large share of them were cracked within days using dictionary attacks. A dictionary attack works by systematically trying every word in a word list, together with common combinations and variations of those words (changed capitalisation, appended digits or years, letters swapped for look-alike symbols), as the password. Dictionary attacks succeed because people tend to choose short, common passwords.

How to Protect Yourself
Choose a password that is at least 8 characters long, and preferably much longer. Avoid dictionary words and common, predictable variations on them, such as capitalising the first letter or adding a number or exclamation mark at the end. If you log in to remote servers over SSH, use key-based authentication instead of a password, so there is no password to guess. For everything else, use a password manager to generate long random strings of letters, numbers, and symbols.
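To show what “predictable variations” means in practice, here is an added Python example that is not from the original page: a dictionary attack against an unsalted SHA-1 hash (the hash type exposed in the 2012 LinkedIn leak) using a constructed seven-word list and the mangling rules cracking tools apply (capitalisation, leet substitutions, appended years and numbers). It also includes a generate_password function of the kind a password manager uses, to show that a 16-character random password is never reached by the same rules. The word list and the example passwords are constructed for this illustration.

```python
import hashlib
import secrets
import string

# Constructed word list standing in for a real cracking dictionary, which has
# hundreds of millions of entries.
WORDLIST = ["password", "welcome", "sunshine", "tartan", "pittsburgh", "letmein", "football"]


def mangle(word: str):
    """Yield the common variations a cracking tool derives from one dictionary word."""
    leet = word.translate(str.maketrans("aeio", "@310"))
    # dict.fromkeys de-duplicates while keeping a predictable order
    for base in dict.fromkeys([word, word.capitalize(), word.upper(), leet, leet.capitalize()]):
        yield base
        yield base + "!"
        for year in range(2000, 2026):
            yield base + str(year)
            yield base + str(year) + "!"
        for n in range(100):
            yield base + str(n)


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, as LinkedIn stored passwords in 2012."""
    return hashlib.sha1(password.encode()).hexdigest()


def dictionary_attack(target_hash: str, wordlist=WORDLIST):
    """Try every mangled word against the hash. Returns (password, candidates_tried)
    on success or (None, candidates_tried) when the list is exhausted."""
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            if sha1_hex(candidate) == target_hash:
                return candidate, tried
    return None, tried


def generate_password(length: int = 16) -> str:
    """What a password manager does: uniform random choice from a large alphabet,
    using the OS cryptographic random source."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ["Tartan2024!", "P@ssw0rd1", generate_password()]:
        found, tried = dictionary_attack(sha1_hex(pw))
        print(f"{pw!r}: {'cracked' if found else 'not found'} after {tried} candidates")
```

A user who turns “tartan” into “Tartan2024!” has done exactly what the rules anticipate, and the hash falls in a few thousand guesses; on a GPU computing billions of SHA-1 hashes per second, that is instant even against a full-size word list. The generated password resists the attack because of its length and uniform random choice, not because it contains symbols. On the server side, the matching defence is to store a salted, deliberately slow hash such as bcrypt or Argon2 rather than plain SHA-1.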


Phishing Attacks
Phishing attacks use fake emails and websites to trick you into handing over your credentials. They most commonly arrive as emails that impersonate a legitimate company and ask you to download a file or click on a link, which leads to a look-alike login page. Often the attacker poses as a financial institution or a University department.

How to Protect Yourself

Be cautious of email messages that come from unrecognized senders, are not personalized, ask you to confirm personal or financial information, or urge you to act quickly. Do not click on links, download files, or open attachments from unknown senders, or from known senders when the message seems out of the ordinary. Check the sender's actual email address and the message headers (such as Reply-To and Return-Path) to identify where the email really came from; a display name like “CMU Help Desk” can be set to anything. Hover over links before clicking to see whether the real destination matches the text shown. Be mindful of the information you include in an email message, as email can be intercepted, forwarded, or exposed in a breach.
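The header and link checks listed above, as an added Python example that is not part of the original page: it parses a constructed phishing message (not a real one) with the standard library and reports the mismatches a careful reader would spot by hand. The trusted domain set, the sample addresses, the urgency word list and the crude two-label domain rule (which ignores public suffixes such as co.uk) are assumptions for this illustration.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"cmu.edu"}   # assumed: domains this check treats as legitimate
URGENCY_WORDS = ("urgent", "immediately", "24 hours", "suspended", "deactivated", "verify your")

# Constructed sample messages; headers chosen to show the typical mismatches.
RAW_MESSAGE = """\
From: "CMU Computing Services" <helpdesk@cmu-edu-support.com>
Reply-To: verify@mail-recovery.net
Return-Path: <bounce@mail-recovery.net>
To: student@andrew.cmu.edu
Subject: URGENT: your Andrew account will be deactivated in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires today. <a href="http://cmu-edu-support.com/login">https://login.cmu.edu</a></p>
</body></html>
"""

CLEAN_MESSAGE = """\
From: "University Libraries" <libraries@cmu.edu>
To: student@andrew.cmu.edu
Subject: Spring semester hours
Content-Type: text/html; charset=utf-8

<html><body><p>Hours are posted on the <a href="https://www.library.cmu.edu/">library website</a>.</p></body></html>
"""


def registered_domain(addr_or_host: str) -> str:
    """Last two DNS labels of an address or host (assumption: no public-suffix list)."""
    host = addr_or_host.rsplit("@", 1)[-1].strip("<>").lower()
    return ".".join(host.split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw: str) -> list:
    """Return human-readable warnings found in the headers and links of one message."""
    msg = email.message_from_string(raw)
    warnings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = registered_domain(from_addr)
    if from_dom not in TRUSTED_DOMAINS:
        warnings.append(f"sender domain {from_dom} is not trusted")
        for trusted in TRUSTED_DOMAINS:          # trusted name embedded in a stranger's domain
            if trusted.split(".")[0] in from_dom:
                warnings.append(f"{from_dom} looks like {trusted} but is not")
    for hdr in ("Reply-To", "Return-Path"):      # replies or bounces routed elsewhere
        if msg.get(hdr):
            _, addr = parseaddr(msg[hdr])
            if registered_domain(addr) != from_dom:
                warnings.append(f"{hdr} domain {registered_domain(addr)} differs from From domain {from_dom}")
    hits = [w for w in URGENCY_WORDS if w in msg.get("Subject", "").lower()]
    if hits:
        warnings.append(f"subject pressures you to act quickly: {hits}")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if text_host and registered_domain(text_host) != registered_domain(href_host):
            warnings.append(f"link text shows {text_host} but points to {href_host}")
        elif registered_domain(href_host) not in TRUSTED_DOMAINS:
            warnings.append(f"link points to untrusted host {href_host}")
    return warnings


if __name__ == "__main__":
    for name, raw in [("phishing sample", RAW_MESSAGE), ("clean sample", CLEAN_MESSAGE)]:
        print(name, phishing_indicators(raw) or ["no indicators"])
```

These are the same clues a person looks for: the address behind the friendly display name, a Reply-To or Return-Path pointing somewhere else, pressure to act within hours, and link text that does not match the real destination. Mail servers add an Authentication-Results header recording SPF, DKIM and DMARC outcomes, which is the authoritative check on whether the claimed sending domain really sent the message; this example leaves that to the mail system.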


What is a Password Manager?

Password managers are the most practical way to generate and store passwords for many websites. A password manager can generate a strong, unique password for each of your accounts and keep it in an encrypted vault, stored in the cloud or on your device, so you do not need to memorize any of them. The only thing you need to remember is the login for the password manager itself. Because the vault is only as strong as the key that protects it, that master password must be long, unique, and never reused anywhere else.

For more information on which password manager is best for you, check out the descriptions of approved Password Managers.